Improve Palo Alto user-id mapping using a single POST req

server/package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "ifms-gql-server",
-  "version": "2.1.0",
+  "version": "2.3.0",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "ifms-gql-server",
-      "version": "2.1.0",
+      "version": "2.3.0",
       "license": "ISC",
       "dependencies": {
         "@babel/polyfill": "^7.12.1",
@@ -24,6 +24,7 @@
         "node-cron": "^2.0.3",
         "node-unifi": "^1.3.8",
         "oui": "^11.0.44",
+        "qs": "^6.7.0",
         "uuid": "^8.3.1"
       },
       "devDependencies": {

server/package.json

@@ -49,6 +49,7 @@
     "node-cron": "^2.0.3",
     "node-unifi": "^1.3.8",
     "oui": "^11.0.44",
+    "qs": "^6.7.0",
     "uuid": "^8.3.1"
   }
 }

server/src/utils/paloalto.js

@@ -1,8 +1,9 @@
 import axios from 'axios'
 import prisma from '../prisma'
 import https from 'https'
+import qs from 'qs'
 
-const agent = new https.Agent({
+const httpsAgent = new https.Agent({
   rejectUnauthorized: false
 })
 
@@ -27,42 +28,54 @@ async function updateUserIdMappings() {
       }
     })
 
-    await Promise.all(
+    const entries = wifiDevices.reduce(
-      wifiDevices.map(async device => {
+      (entries, device, i) =>
-        const cmd = `
+        (entries += `<entry name="ifms\\${device.user.sAMAccountName}" ip="${device.ip}" timeout="5"/>`),
-            <uid-message> 
-              <version>1.0</version> 
-              <type>update</type> 
-              <payload> 
-                  <login> 
-                      <entry name="ifms\\${device.user.sAMAccountName}" ip="${device.ip}" timeout="5"> 
-                      </entry> 
-                  </login> 
-              </payload>
-            </uid-message>
-        `
-        return axios.get(
-          `https://${process.env.PA_HOST}/api/`,
 
-          {
+      ''
-            params: {
-              type: 'user-id',
-              cmd
-            },
-            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
-            httpsAgent: agent,
-            auth: {
-              username: process.env.PA_USER,
-              password: process.env.PA_PASSWORD
-            }
-          }
-        )
-      })
     )
 
+    const cmd = ` 
+      <uid-message> 
+      <version>1.0</version> 
+      <type>update</type> 
+      <payload> 
+        <login>
+        ${entries}
+        </login> 
+      </payload>
+      </uid-message> `
+
+    /*
+    https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-panorama-api/pan-os-xml-api-request-types/apply-user-id-mapping-and-populate-dynamic-address-groups-api.html
+    Use a GET request if the URL query size is less than 2K and a POST request if the request size is between 2K to 5MB. Limit the query size to 5MB.
+    When multiple login or logout events are generated at the same time, make sure to follow these guidelines to ensure optimal firewall performance:
+    Design your application to queue events and perform batch API updates instead of sending single event or mapping updates.
+    Limit the number of concurrent API calls to five. This limit ensures that there is no performance impact to the firewall web interface as the management plane web server handles requests from both the API and the web interface.
+    */
+
+    const result = await axios({
+      method: 'POST',
+      data: qs.stringify({
+        cmd
+      }),
+      url: `https://${process.env.PA_HOST}/api/`,
+      params: {
+        type: 'user-id'
+      },
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded'
+      },
+      auth: {
+        username: process.env.PA_USER,
+        password: process.env.PA_PASSWORD
+      },
+      httpsAgent
+    })
+
     return wifiDevices.length
   } catch (e) {
-    console.log('Error updating user-id mappings:', e.message)
+    console.log('Error updating user-id mappings:', e)
     return 'Não foi possível atualizar. Veja o log do servidor'
   } finally {
     setTimeout(() => {